CVE-2025-7955 CRITICAL

CVE-2025-7955: RingCentral Communications 1.5 - 1.6.8 - Missing Server‑Side Verification to Authentication Bypass via ringcentral_admin_login_2fa_verify Function

Vendor Pbmacintyre
Product RingCentral Communications Plugin – FREE
Weakness CWE-287 · Improper authentication
Published August 28, 2025
Last update August 28, 2025

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The RingCentral Communications plugin for WordPress is vulnerable to Authentication Bypass due to improper validation within the ringcentral_admin_login_2fa_verify() function in versions 1.5 to 1.6.8. This makes it possible for unauthenticated attackers to log in as any user simply by supplying identical bogus codes.
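The flaw class named in the title, missing server-side verification, shown beside a hardened check. This is an added sketch, not the plugin's code. It assumes the weak check compares two values that both come from the request, which is how identical bogus codes would pass. Every function, class and field name is hypothetical, and the in-memory array stands in for server-side storage.

```php
<?php
// Added illustration with hypothetical names; not the plugin's code.
// Weak pattern (assumed): the "expected" code arrives in the request itself,
// so any two identical values pass and the server verifies nothing.
function verify_2fa_weak(array $request): bool {
    return isset($request['expected_code'], $request['entered_code'])
        && $request['expected_code'] === $request['entered_code'];
}

// Hardened pattern: expected code and user ID live only in server-side state.
final class PendingTwoFactor {
    private array $store = []; // stand-in for server-side storage

    public function issue(string $loginToken, int $userId, int $now): string {
        $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
        $this->store[$loginToken] = [
            'user' => $userId, 'hash' => hash('sha256', $code),
            'expires' => $now + 300, 'tries' => 0,
        ];
        return $code; // sent out of band, never returned to the browser
    }

    // Returns the user ID bound at issue time, or null on any failure.
    public function verify(string $loginToken, string $entered, int $now): ?int {
        $p = $this->store[$loginToken] ?? null;
        if ($p === null || $now > $p['expires'] || $p['tries'] >= 5) {
            unset($this->store[$loginToken]); // expired or locked out
            return null;
        }
        $this->store[$loginToken]['tries']++;
        if (!hash_equals($p['hash'], hash('sha256', $entered))) {
            return null;
        }
        unset($this->store[$loginToken]); // single use
        return $p['user'];
    }
}

// Constructed inputs for the demonstration.
$request = ['expected_code' => 'bogus', 'entered_code' => 'bogus'];
var_dump(verify_2fa_weak($request));
$twoFactor = new PendingTwoFactor();
$code = $twoFactor->issue('login-token-1', 42, time());
var_dump($twoFactor->verify('login-token-1', 'bogus', time()));
var_dump($twoFactor->verify('login-token-1', $code, time()));
```

The hardened verifier returns the user ID stored when the code was issued, so the account being logged in is never taken from the verification request.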

Explanation of Vulnerability in Simple Terms

02 Summary

The RingCentral Communications Plugin for WordPress versions 1.5 through 1.6.8 contains an authentication bypass vulnerability. An attacker can gain unauthorized access to the plugin without valid credentials. No user interaction or special privileges are required. This affects confidentiality, integrity, and availability of the site.

What an attacker can do

03 Attacker Capabilities

Gain full unauthorized access to the plugin without providing valid credentials.

Potential impact on your site

04 Site Impact

Attackers can access, modify, or disrupt RingCentral plugin functionality and potentially the site itself.

Conditions required to exploit

05 Prerequisites

Network access only; no authentication, special privileges, or user interaction required.

Key dates

06 Disclosure timeline

August 28, 2025 CVE published
August 28, 2025 Record updated